Analysis
max time kernel: 148s
max time network: 104s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64 arch:x86 image:win10-20230220-en locale:en-us os:windows10-1703-x64 system
submitted: 12/04/2023, 17:48
Static task
static1
General
Target: 97e08219837f3e3e3f3dc2edeeb281697fca0c31ee35c6845b5d6982fbe3b769.exe
Size: 1.1MB
MD5: 3bc2f23f4b79eec2ace7389de491795e
SHA1: b4b05a8390a68c7af5738f38fc817aae861ee8c9
SHA256: 97e08219837f3e3e3f3dc2edeeb281697fca0c31ee35c6845b5d6982fbe3b769
SHA512: 851dc1714a378ebd944a49b86116c86a1e7f5725ef75924ffc0132bf4f3391534b7242f73fdee4dad64def976bb10282c7d4057d3a170a8994bfd9bf6965eaf2
SSDEEP: 24576:My+GEggJ7W/jMjiBk6n3Nw+9pPaVEA8FZDC7HYvSIN+NZfTL:7+BkjMo3NwSQEFZQYpN+NxT
Malware Config
Extracted
Family: redline
Botnet: lada
C2: 185.161.248.90:4125
auth_value: 0b3678897547fedafe314eda5a2015ba
Extracted
Family: redline
Botnet: diza
C2: 185.161.248.90:4125
auth_value: 0d09b419c8bc967f91c68be4a17e92ee
Signatures
-
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pr721059.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pr721059.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pr721059.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pr721059.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pr721059.exe
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 7 IoCs
pid | Process
2524 | un421521.exe
3192 | un072900.exe
3944 | pr721059.exe
1980 | qu765473.exe
4260 | 1.exe
3500 | rk823693.exe
3812 | si365152.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pr721059.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pr721059.exe
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un072900.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | un072900.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 97e08219837f3e3e3f3dc2edeeb281697fca0c31ee35c6845b5d6982fbe3b769.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 97e08219837f3e3e3f3dc2edeeb281697fca0c31ee35c6845b5d6982fbe3b769.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un421521.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un421521.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 7 IoCs
pid | pid_target | Process | procid_target
4188 | 3812 | WerFault.exe | 73
4956 | 3812 | WerFault.exe | 73
4596 | 3812 | WerFault.exe | 73
3592 | 3812 | WerFault.exe | 73
3512 | 3812 | WerFault.exe | 73
3804 | 3812 | WerFault.exe | 73
3228 | 3812 | WerFault.exe | 73
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
3944 | pr721059.exe
3944 | pr721059.exe
4260 | 1.exe
3500 | rk823693.exe
4260 | 1.exe
3500 | rk823693.exe
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3944 | pr721059.exe
Token: SeDebugPrivilege | 1980 | qu765473.exe
Token: SeDebugPrivilege | 4260 | 1.exe
Token: SeDebugPrivilege | 3500 | rk823693.exe
-
Suspicious use of WriteProcessMemory 21 IoCs
description | pid | Process | procid_target
PID 2468 wrote to memory of 2524 | 2468 | 97e08219837f3e3e3f3dc2edeeb281697fca0c31ee35c6845b5d6982fbe3b769.exe | 66
PID 2468 wrote to memory of 2524 | 2468 | 97e08219837f3e3e3f3dc2edeeb281697fca0c31ee35c6845b5d6982fbe3b769.exe | 66
PID 2468 wrote to memory of 2524 | 2468 | 97e08219837f3e3e3f3dc2edeeb281697fca0c31ee35c6845b5d6982fbe3b769.exe | 66
PID 2524 wrote to memory of 3192 | 2524 | un421521.exe | 67
PID 2524 wrote to memory of 3192 | 2524 | un421521.exe | 67
PID 2524 wrote to memory of 3192 | 2524 | un421521.exe | 67
PID 3192 wrote to memory of 3944 | 3192 | un072900.exe | 68
PID 3192 wrote to memory of 3944 | 3192 | un072900.exe | 68
PID 3192 wrote to memory of 3944 | 3192 | un072900.exe | 68
PID 3192 wrote to memory of 1980 | 3192 | un072900.exe | 69
PID 3192 wrote to memory of 1980 | 3192 | un072900.exe | 69
PID 3192 wrote to memory of 1980 | 3192 | un072900.exe | 69
PID 1980 wrote to memory of 4260 | 1980 | qu765473.exe | 70
PID 1980 wrote to memory of 4260 | 1980 | qu765473.exe | 70
PID 1980 wrote to memory of 4260 | 1980 | qu765473.exe | 70
PID 2524 wrote to memory of 3500 | 2524 | un421521.exe | 71
PID 2524 wrote to memory of 3500 | 2524 | un421521.exe | 71
PID 2524 wrote to memory of 3500 | 2524 | un421521.exe | 71
PID 2468 wrote to memory of 3812 | 2468 | 97e08219837f3e3e3f3dc2edeeb281697fca0c31ee35c6845b5d6982fbe3b769.exe | 73
PID 2468 wrote to memory of 3812 | 2468 | 97e08219837f3e3e3f3dc2edeeb281697fca0c31ee35c6845b5d6982fbe3b769.exe | 73
PID 2468 wrote to memory of 3812 | 2468 | 97e08219837f3e3e3f3dc2edeeb281697fca0c31ee35c6845b5d6982fbe3b769.exe | 73
Processes
-
"C:\Users\Admin\AppData\Local\Temp\97e08219837f3e3e3f3dc2edeeb281697fca0c31ee35c6845b5d6982fbe3b769.exe"  (PID 2468)
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un421521.exe  (PID 2524)
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un072900.exe  (PID 3192)
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr721059.exe  (PID 3944)
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu765473.exe  (PID 1980)
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        "C:\Windows\Temp\1.exe"  (PID 4260)
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk823693.exe  (PID 3500)
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si365152.exe  (PID 3812)
  - Executes dropped EXE
    C:\Windows\SysWOW64\WerFault.exe -u -p 3812 -s 628  (PID 4188)
    - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 3812 -s 704  (PID 4956)
    - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 3812 -s 840  (PID 4596)
    - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 3812 -s 852  (PID 3592)
    - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 3812 -s 880  (PID 3512)
    - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 3812 -s 904  (PID 3804)
    - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 3812 -s 1076  (PID 3228)
    - Program crash
-
Network
MITRE ATT&CK Enterprise v6
Downloads